plantemoran.com
Data Security and Privacy: What School Personnel and Administrators Need to Know
Tomorrow's Headline? Let's hope not.
- "District posts confidential data online" (Tech News, May 18, 2007): In one of the worst security breaches ever in a public K-12 school system, confidential data for thousands of students, including in some cases medical information and Social Security numbers, was accidentally posted online.
- "Laptop theft puts 40,000 school employees at risk" (The Daily Journal, April 6, 2007): Two laptop computers containing the names and Social Security numbers of about 40,000 current and former employees were stolen from district headquarters.
Tomorrow's Headline? Let's hope not.
- "Latest data security risk for schools: Copiers" (eSchool News, May 17, 2007): As schools take steps to protect the security of data on their computer networks, experts warn they should also consider securing copiers and scanners, which could be used to copy sensitive information.
- "Coach sued for requesting students' Facebook logins" (eSchool News, September 2009): A high school cheerleader is suing her school and former coach, claiming violation of privacy and free speech.
Privacy and Security
Privacy: what should be protected?
- Obtain permission before disclosing personal information
- Those handling medical data must account for disclosures and limit disclosure for purposes other than treatment
- Allow parents/students to obtain copies of records and to request amendments to records
- Covers paper and oral communication, not only electronic records
Security: how should it be protected?
- Procedures to guard data integrity, confidentiality, and availability
- Restriction of access to information by physical and technical safeguards
- Technical system standards to prevent unauthorized access to data transmitted over a communications network
Personal Information
- The definition varies from state to state
- Most states include an individual's first name or first initial and last name in combination with any of the following:
  - Social Security number
  - Driver's license number or state ID card number
  - Account numbers or credit/debit card numbers, together with any security or access code or password that would permit access to the account
- Some states also include taxpayer ID, biometric data (e.g., fingerprint, voice print, retina, or iris image), passport numbers, date of birth, and digital signatures
Personal Information
- A majority of states prohibit use or display of more than four digits of an SSN for various purposes, with exceptions as dictated by law
- You must notify affected individuals of a potential breach if data containing personal information is lost, stolen, or inadvertently disclosed
  - A few states require notification of any data breach
  - Most states require notification when harm to potential victims is likely or reasonably likely
- The residence of the affected individuals determines which state's notice law applies, so a district may owe notice under several states' laws at once
Personal Information
- Know where your data is: hosted systems, servers within the district, laptops, thumb drives
- Make sure you have an incident response plan in place
- For personal information on a portable device, consider encryption
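The two headlines above (data posted online, laptops stolen) both involve Social Security numbers leaving the district in bulk. One practical check before a file is published or copied to a portable device is to scan it for SSNs and mask all but the last four digits, which is the most that most state laws permit to be shown. The following Python is an added example written for this page, not code from the Plante Moran slides; the sample export, the column layout and the function names are constructed for illustration. It matches only the dashed NNN-NN-NNNN form and applies the Social Security Administration's issuance rules (area 000, 666 or 900-999, group 00 and serial 0000 are never issued) to cut down false positives from phone numbers and test data.

```python
import re

# Dashed SSN form only (NNN-NN-NNNN); \b keeps it from matching inside longer digit runs.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the Social Security Administration never issues:
    area 000, 666 or 900-999, group 00, serial 0000.  This removes many
    false positives (phone numbers, part numbers, placeholder records)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Return every plausible SSN in text, in document order."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits (e.g. 123-45-6789 -> XXX-XX-6789)."""
    return "XXX-XX-" + ssn[-4:]


def redact(text: str) -> str:
    """Replace each plausible SSN with its masked form; everything else is untouched.
    Implausible values are left alone so a reviewer can still see them."""
    return SSN_RE.sub(
        lambda m: mask_ssn(m.group(0)) if is_plausible_ssn(*m.groups()) else m.group(0),
        text,
    )


# Constructed sample: a student-information-system export someone is about to
# post to the district web site.  Names and numbers are made up for this example.
SAMPLE_EXPORT = (
    "Last,First,SSN,Notes\n"
    "Doe,Jane,123-45-6789,IEP on file\n"
    "Roe,Richard,000-12-3456,placeholder record\n"   # area 000 is never issued
    "Smith,Pat,234-56-7890,none\n"
)

if __name__ == "__main__":
    hits = find_ssns(SAMPLE_EXPORT)
    print(f"{len(hits)} SSN(s) found; do not publish until redacted")
    print(redact(SAMPLE_EXPORT))
```

Run it over exports, mail-merge files and anything destined for a public web folder or a thumb drive. It is a last line of defense, not a substitute for knowing where the data is: it will miss undashed nine-digit numbers (adding that form is possible but raises the false-positive rate sharply) and anything in scanned images, which is exactly why the copier headline above matters.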
What do we have to comply with?
- FERPA
- HIPAA
- CIPA
- PCI
- ediscovery
The list will continue to grow.
Family Educational Rights and Privacy Act (FERPA)
- Federal student education records law
- Its two main goals are: 1) guarantee parents and eligible students access to the student's education records; 2) prevent unauthorized disclosure of education records
- Education records are records, files, documents, or other materials that: 1) contain information directly related to a student, and 2) are maintained by an educational agency or institution, or by a person acting for such agency or institution
FERPA January 2009 Revision
- Expanded the "school official" exception to include contractors, consultants, and hosting providers who perform a service the district would otherwise do itself
- Have such vendors sign an acceptable use policy indicating compliance with FERPA
- Clarified that remote (distance-learning) students are covered by FERPA
- Expanded the definition of personally identifiable information
- Several other changes as well
HIPAA (Health Insurance Portability and Accountability Act)
- The Privacy Rule took effect on April 14, 2003, with a one-year extension for certain "small plans"
- It establishes regulations for the use and disclosure of Protected Health Information (PHI)
- PHI = information about health status, provision of health care, or payment for health care that can be linked to an individual; broadly interpreted as any part of a patient's medical record or payment history
- The data must be kept both secure and private
- FERPA and HIPAA overlap: student health records that a school maintains are generally education records under FERPA rather than PHI under HIPAA, so determine which law governs each record set before applying controls
Children's Internet Protection Act (CIPA)
- Federal law
- Addresses concerns about access to offensive content over the Internet on school and library computers
- Applies to any school or library that receives funding from the E-rate program
Payment Card Industry (PCI) Data Security Standard
- Aimed at protecting cardholder data and preventing identity theft
- Applicable if you process, store, or transmit credit card data
- The core of the PCI Data Security Standard (DSS) is a group of principles and accompanying requirements:
  - Build and maintain a secure network
  - Protect cardholder data
  - Maintain a vulnerability management program
  - Implement strong access control measures
  - Regularly monitor and test networks
  - Maintain an information security policy
Payment Card Industry (PCI)
- Compliance is an ongoing process, not a one-time validation
- Even a minimal number of transactions is subject to PCI DSS; the transaction volume determines the validation steps necessary for compliance, not whether it applies
- Fines and other penalties for lack of compliance
- Not an IT-driven project; it must be driven by district administration
ediscovery
- Amendments to the Federal Rules of Civil Procedure went into effect on December 1, 2006
- They require any organization that might be sued in federal court to have systems for retrieving electronic data
- They identify Electronically Stored Information (ESI) as discoverable
- They set a timeline for the events surrounding discovery of ESI
- There is an obligation to preserve ESI as soon as litigation is a reasonable possibility, not only once a suit is filed
ediscovery
ESI has been interpreted to mean:
- Voicemail and voice recordings
- Instant messaging
- iPods
- Blogs
- Collaboration tools such as wikis and SharePoint
- Proprietary databases
- Thumb drives
- The computer in your car
- RFID information
- Internet logs
- Phone logs
- Credit card databases
- Shipping databases
- Regular email
- Third-party email (Hotmail)
- Forensic fragments: deleted files, caches, cookies...
ediscovery
- Identify an ediscovery team; it must be cross-functional (IT, HR, Legal)
- Know where your data is
- Make sure your document retention policy applies to email and other ESI
- Consider periodic checks to make sure staff are complying
Additional Challenges
- Social networking
- Portability of data
- Technology natives
- Increasing fraud incidents
- New technologies: Web 2.0, web-based email
Data Security: Threats
Sources of threats:
- Network logons
- Email / phishing
- Malware, viruses
- Wireless networks
- Social engineering
- Rogue users ("bad apples")
Remediation factors that need to be considered:
- Password complexity (security policy)
- Providing secure access, and training
- Implementing protective products, and training
- Authorized access and encryption (especially for wireless)
- Training
Threats come from inside (students and staff) as well as outside (strangers, the community).
Security Program Made Simple
Implement. Enforce. Maintain. Monitor.
- Threat types: interruptions, interceptions, modifications, fabrication
- Lifecycle: prevention, protection, recovery, detection, investigation
- People: administrators, teachers, staff, students, third parties
- Process: physical security, logical security, user management, password management, business continuity, change management, systems development, incident response, training, policies and procedures
- Technology: firewall, user access software, remote access software, VPN technology, encryption, biometrics, antivirus, access cards, IDS/IPS
Data Security: Security Policy
A secure network starts with a strong security policy.
Protecting your data: three key factors (C.I.A.)
- Confidentiality: protecting data from unauthorized access
- Integrity: protecting data from unauthorized modification
- Availability: making sure that data is available to authorized users whenever it is needed
Data Security: Security Policy
The security policy should address who needs access, who can modify the data, and how data and availability are protected.
Some guidelines for a security policy:
- High-level document that defines the purpose and scope of the policy
- Define responsibilities, limitations, and emergency procedures
- Define the consequences of failing to comply with these requirements
- Needs involvement of HR, the business side, and IT
Data Security: Security Policy
- Avoid tying the policy to particular systems or technology
- Review and update it on a periodic (annual or semiannual) basis
- The policy should not include specifics; use procedural documents for the details
Data Security: Security Policy
Security is a balancing act between securing data and providing flexibility.
- Flexibility: connectivity, performance, ease of use, access
- Security: identity, integrity, active audit
Security Framework
Administrative controls
- Policies
- Risk assessment
- Assigned security responsibility
- User access process (new users, terminations, changes)
- Access authorization
- Security awareness and training
- Security incident response
- Contingency planning / data backup
Physical controls
- Facility access controls
- Workstation controls
- Device and media controls
Technical controls
- Authentication controls (passwords, etc.)
- Access controls (operating system, application)
- Audit controls (monitoring and testing)
- Encryption controls
- Architecture controls (firewalls, VPN, etc.)
- Configuration controls
Vendor management controls
- Contract language (confidentiality, ownership, regulatory and legal compliance)
- Security audit, e.g. a SAS 70 report (since superseded by SOC reports)
- Vendor access control
- Vendor copies of confidential information
Data Security: Not a one time fix!
Digital Forensics
The application of computer science and investigative procedures for a legal purpose.
- Employs validated processes to properly secure and collect evidence
- Chain of custody for potential evidence
- Finding pertinent data: documents, malicious code
- Analyzing properties of the data and systems
- Validating the accuracy and source of the data
- Repeatability of the processes used
- Presentability (to attorneys and the court)
Source: Forensic Magazine
What Can Be Discovered with Forensics?
- Recover and search deleted files, formatted drives, email, and other data thought to be erased
- Examine file-related metadata: file creation, modification, deletion, and last-accessed dates; the user ID used to create, modify, and access data
- Operating system artifacts: when and to what printer a file was printed; whether a web site was accessed via a link or typed in; whether a USB drive was connected and what type
Common Issues with Digital Forensics
- Easy to spoil evidence: consider the impact of such simple actions as logging out the subject user or examining the live system, which alter timestamps and overwrite deleted data. Secure a verified image first.
- Some organizations miss evidence because they do not secure all of the possible sources of evidence.
- Shared computers provide a common defense ("anyone could have done it"); counter with well-enforced password policies and interviews.
- Incorrect conclusions: the examiner must have deep technical expertise.
- Many states require computer forensic experts to hold a Private Investigator (PI) license to perform forensic work.
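The three forensics slides turn on one mechanical habit: record a cryptographic hash and the file-system timestamps of every item before anyone examines it, so that later analysis is repeatable and any spoilage (an administrator "just having a look") is provable. The following Python is an added example written for this page, not code or a procedure from the Plante Moran slides or Forensic Magazine; the evidence directory, file names and contents are constructed, and the function names are mine. In a real case the same hashing is applied to the disk image taken first, and the manifest is signed and stored with the chain-of-custody log.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1024 * 1024  # read in 1 MiB chunks so large images are not loaded into memory


def hash_file(path: str) -> str:
    """SHA-256 of the file contents; the value that must match at every later step."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def file_metadata(path: str) -> dict:
    """Size plus the modified/accessed/changed timestamps forensics slides refer to.
    Note: reading a file for hashing can itself update the access time on some
    file systems, which is why imaging comes before hashing in practice."""
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {"size": st.st_size, "modified": iso(st.st_mtime),
            "accessed": iso(st.st_atime), "changed": iso(st.st_ctime)}


def build_manifest(root: str) -> dict:
    """Baseline record (hash + metadata) for every file under root, keyed by relative path."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            manifest[rel] = {"sha256": hash_file(path), **file_metadata(path)}
    return manifest


def verify_manifest(root: str, manifest: dict) -> list:
    """Relative paths whose content no longer matches the baseline (or is missing)."""
    bad = []
    for rel, rec in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path) or hash_file(path) != rec["sha256"]:
            bad.append(rel)
    return sorted(bad)


def demo() -> dict:
    """Constructed scenario: baseline two files, then 'helpfully' edit one
    without re-imaging, and show the manifest catches it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "roster.txt"), "wb") as f:
            f.write(b"hello")  # known content: sha256 is the well-known 2cf24dba... value
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"exported from student information system\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)          # expected: []
        with open(os.path.join(root, "notes.txt"), "ab") as f:
            f.write(b"reviewed by admin\n")              # spoils the evidence
        tampered = verify_manifest(root, manifest)       # expected: ['notes.txt']
        return {"hash_of_roster": manifest["roster.txt"]["sha256"],
                "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest outside the evidence store, and hash the manifest itself (or sign it) so an edited baseline cannot hide an edited file; re-run `verify_manifest` each time custody changes hands and log who ran it and when.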
Summary: Questions you should ask
- Do you know which statutes and laws apply? (Most likely more than just state laws.)
- What data/assets are you protecting, and what should you be protecting?
- Who has access to this data? Limit access.
- What is currently in place to protect this data?
  - Policies, procedures, and agreements (e.g., policies regarding leaving laptops in cars)
  - IT measures: a secure network; encrypted hard drives, thumb drives, and laptops
  - Are the portals secure?
  - Is paper secure?
  - What are your destruction policies?
Summary: Questions you should ask
- What are your document retention policies? Does the policy apply to ESI? Are staff complying with the policy?
- Is a crisis response team in place for security incidents and for ediscovery?
- Do you have a written crisis/emergency checklist?
Summary: Questions you should ask
- Do you already have legal and technical experts familiar with this area and with your organization? You don't want to be learning during a crisis.
- Do you have insurance coverage? Should you?
Questions
plantemoran.com
Contact Information
- Judy Wright, Judy.wright@plantemoran.com, 248.223.3304
- Marvin Sauer, Marvin.sauer@plantemoran.com, 248.223.3120